
FortiDeceptor - Best Practices

Version 4.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

August 25, 2021


FortiDeceptor 4.0 Best Practices
50-40-740375-20210825
TABLE OF CONTENTS

Best practices 5
Customer service and technical support 5
Fortinet Knowledge Base 5
Comments on Fortinet technical documentation 5
Deception strategy 6
Deception strategy components 6
Deception strategy goals 7
Deception philosophy 7
Deception light stack vs full stack 7
Deception light stack concept 7
Deception full stack concept 8
FortiDeceptor platform 9
FortiDeceptor components 9
FortiDeceptor lures 9
FortiDeceptor decoys 10
Deploying deception 13
Deception decoy best practices 13
Example of 5-8 decoys per data-center segment (VLAN) 13
Example of 2-4 decoys per endpoint segment (VLAN) 14
Example of 7-10 decoys per OT segment (VLAN) 15
Example of 8-10 decoys per cloud segment (VPC, VNET) 16
Example of 2-4 decoys per IoT segment (VLAN) 17
Example of 2-4 decoys per Medical IoT segment (VLAN) 17
Deception lure best practices 18
Example of deception lures on Windows, MAC, or Linux endpoint segment (VLAN) 18
AD integration best practices 20
Example of custom decoys in customer network domain 20
Deployment best practices checklist 20
Network topology best practices 22
Deception deployment in HQ only 22
Deception deployment in HQ and remote offices 24
Deception deployment in HQ, remote offices, and OT sites 26
Attack vectors vs deception 28
Compromised internal endpoint using lateral movement 28
Attack vector scenario 28
Deception layer 28
Early breach detection 29
Alert details 29
Lateral movement based on AD mapping 30
Attack vector scenario 30
Deception layer 30
Early breach detection 30
Alert details 31

FortiDeceptor Best Practices Fortinet Technologies Inc.

Lateral movement based on Mimikatz / PTH 31
Attack vector scenario 31
Deception layer 32
Early breach detection 32
Alert details 32
Ransomware Detection & Isolation 33
Network Attack against OT network 35
Appendix A - Deploying tokens using AD GPO logon script 38
Configuring the GPO logon script 39
Appendix B - Configuring trunk ports on FortiDeceptor VM 42
Configuring FortiDeceptor 45
Configuring the vSwitch 48
Change Log 52

Best practices

This guide provides best-practice principles and use cases for deploying FortiDeceptor in different network
topologies.
The guide covers the following topics:
Deception strategy on page 6
FortiDeceptor platform on page 9
Deploying deception on page 13
Attack vectors vs deception on page 28
Deploying tokens using AD GPO logon script on page 38
Configuring trunk ports on FortiDeceptor VM on page 42

Customer service and technical support

For firmware updates, updated product documentation, technical support information, and other resources, visit the
Fortinet Support website at https://support.fortinet.com.
When requesting technical support, for optimum results, provide as much of the following information as possible:
- Your name, and your company's name and location
- Your email address and/or telephone number
- Your support contract number (if applicable)
- The product name and model number
- The product serial number (if applicable)
- The software or firmware version number
- A detailed description of the problem

Fortinet Knowledge Base

The most recent Fortinet technical documentation is available from the Fortinet Knowledge Base. The knowledge base
contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet
Knowledge Base at https://kb.fortinet.com.

Comments on Fortinet technical documentation

Send information about any errors or omissions in this document, or any Fortinet technical documentation, to
[email protected].

Deception strategy

The ancient war strategist Sun Tzu said: "Know thyself, know thy enemy. A thousand battles, a thousand victories."
This means that if you know the strengths and weaknesses of your enemy, and the strengths and weaknesses of your own
defense system, you can win any battle. To win against cyber attackers, hackers, or users with malicious intent, the
cyber security team needs to understand the attacker's techniques and tools, as well as the shortfalls in the
organization's defense system.
To understand the attack techniques and the attackers' interests in your environment, it helps to understand three
techniques that security professionals use to stop attackers before a data breach happens.
- Sandboxing: This technique allows malware to install and run in an enclosed environment where the security
  team can monitor the malware's actions to identify potential risks and countermeasures.
- Honeypots: These are intentionally vulnerable systems that are meant to attract attackers. Honeypots entice
  attackers to attempt to steal valuable data or further scope out the target network, and they help you
  understand the process and strategy of attackers.
- Deception technologies: These are more advanced honeypot and honeynet products that offer more
  automation for both detection and implementation of defenses based on the data they gather.
Deception technology is like honeypots on steroids. It has more advanced capabilities such as deception lures, deception
automation, threat analysis, threat hunting, and more.
The core technology behind deception is the decoy. In general, there are several kinds (low, medium, and high interaction).
To align with FortiDeceptor technology, this guide focuses on two types of decoys: low interaction and high interaction.
- Low interaction honeypot: This decoy has limited capability to emulate enterprise applications and is used
  only to detect where the attackers are coming from and what they want to exploit. These decoys are easy for attackers
  to fingerprint and bypass.
- High interaction honeypot: This decoy is identical to the enterprise systems and can run real operating
  systems, applications, and services with dummy data. It allows the attacker to log in and responds to the
  attacker's requests. In this way, the decoy helps you understand the attacker's intentions and keeps them engaged
  long enough to identify how their command and control infrastructure is set up.
Deception technology systems are more advanced and have more parts: breadcrumbs, baits, and lures. Deception
systems are implemented alongside enterprise systems, but they remain in an isolated environment.
Deception technology systems are used to interrupt the attacker's kill chain and prolong the attack, either to exhaust the
attacker's resources or to encourage attackers with obvious vulnerabilities in order to learn the identity and details of
their network and arsenal.

Deception strategy components

Deployment of enterprise-scale deception includes the following components:
- Medium interaction decoys and high interaction decoys that are deployed everywhere.
- Customizable decoys that match the infrastructure and applications.
- Lures that are created and deployed to redirect attackers toward traps.
- Lures that are created and deployed with trackable misinformation.
- Threat analysis capabilities.
- Integration with existing security infrastructure for mitigation and remediation (Security Fabric and third-party).

Deception strategy goals

Deployment of enterprise-scale deception should achieve the following cybersecurity requirements and goals:
- Generate actionable, high-fidelity alerts.
- Reduce the "dwell time" of an initial compromise.
- Confuse the attacker with false assets and misinformation.
- Tackle the human attacker or APT.
- Gather threat intelligence regarding tactics, techniques, and procedures.
- Integrate with the existing defense-in-depth architecture.

Deception philosophy

The deception philosophy is a straightforward concept. You deploy deception across the whole network infrastructure and
every location, which generates a fake virtual network layer that masks the real assets with fake ones.
Today's networks are fluid and dynamic, so you need to be sure that every network segment and location has this
deception layer and capability.
For example:
- IT Endpoint segment: Requires deployment of lures and decoys.
- IT Servers segment: Requires deployment of lures and decoys.
- Network Devices: Requires deployment of decoys.
- IoT Devices: Requires deployment of decoys.
- OT Devices: Requires deployment of decoys.
- Data Repository: Requires deployment of honey files and decoys.
- Application segment: Requires deployment of lures and decoys.
- Network Traffic: Requires decoys that generate fake network traffic and lures that create fake network
  connections and entries at the endpoint level.
- Public/Private Cloud: Requires deployment of decoys.

Deception light stack vs full stack

Deception light stack concept

The light deception concept uses a combination of endpoint lures with several high interaction decoys only as
destination targets.

Using the light deception concept against a sophisticated adversary has some significant drawbacks:
- Deception lures reside on the endpoint, and without in-depth customization they can be fingerprinted.
- A sophisticated adversary that controls several endpoints might fail once, learn the deception lure logic, and
  not make the same mistake next time.
- A sophisticated adversary might not touch the deception lures at all if it gains high privileges at the beginning of the
  attack, and the probability of it stumbling on a handful of decoys among several thousand assets is non-existent.
- Lack of visibility around unmanaged devices (IoT/OT), where an adversary has plenty of time and space to attack
  without detection.
- Simple malware spread vectors such as pass-the-hash or single-vulnerability attacks are not detected, because there
  are no decoys at the network segment level. For example, the WannaCry malware would not be detected with this
  deployment stack.

Deception full stack concept

A simple explanation of the deception full stack concept is "do not let the sophisticated adversary / malware fingerprint
your fake story!"
The deception full stack addresses the drawbacks of the light deception concept by using several deception layers:
- Server / endpoint lures are the first layer that engages with the adversary / APT.
- A large number of decoys creates a fake network surface on top of the real one, offering false endpoints, servers,
  network devices, IoT/OT, databases, files, applications, cloud, and more. This is the "deception everywhere" concept.
- Some of the decoys are generated from a customer "gold image" and are part of the network domain to increase the
  level of authenticity.
The dynamic deception decoys module prevents the sophisticated adversary from fingerprinting the decoys by changing
the decoys' IP addresses and profiles based on time or on a trigger.
The FortiDeceptor full stack deception concept runs deception lures together with a large number of decoys, using a hybrid
engine that provides medium and high interaction decoys against the adversary / APT malware.

FortiDeceptor platform

The FortiDeceptor platform includes the following:
- FortiDeceptor components on page 9
- FortiDeceptor lures on page 9
- FortiDeceptor decoys on page 10

FortiDeceptor components

The FortiDeceptor platform includes the following components:
- FortiDeceptor Management:
  - The FortiDeceptor management console manages and operates the whole platform, including deployment,
    configuration, alerting, analysis, and ecosystem integration.
  - The FortiDeceptor manager (hardware and VMs) can manage fifty or more remote FortiDeceptor devices.
  - The FortiDeceptor manager appliance (hardware and VMs) supports both management and deception
    capability on the same appliance (dual role).
- FortiDeceptor offers a highly scalable three-tier architecture that combines three levels of deception:
  - Server / endpoint lures (Windows / Linux / MAC).
  - Medium interaction decoys (IoT / OT).
  - High interaction decoys (Windows / Linux / FW).
You can deploy deception lures using existing infrastructure tools such as AD GPO, MS SCCM, and so on.
A single FortiDeceptor appliance can run up to 20 deception VMs that support a total of 480 IP addresses. Each IP
address represents a single decoy (a single deception VM supports 24 IP addresses).
You can download deception VMs from the FortiDeceptor marketplace. You can also allow the end-user admin to bring
their own gold image and convert it to a decoy using the FortiDeceptor decoy customization wizard (supported for
Win10, Win2016, and Win2019).

FortiDeceptor lures

The role of the FortiDeceptor lure package is to add breadcrumbs on real endpoints and servers and redirect an attacker
to engage with a decoy instead of a real asset. Deception lures are typically distributed across real endpoints and servers
on the network to expand the deception surface.
Effective deception lure technology should support the following:
- Deploy deception lure data and configurations where attackers collect information.
- The deception lure location must be invisible to end users and must not affect endpoint functionality.
- The deception lure is accessible with user-level permissions, so that attackers can reach it early on and get detected
  before they spend time on privilege escalation.

The current FortiDeceptor Token Packages are:
- Windows:
  - SMB (network drive share & credentials manager)
  - RDP
  - SSH (cached credentials)
  - HoneyDocs
  - ARP entries
- Linux:
  - SMB (SAMBA)
  - RDP (xfreerdp)
  - SSH
  - ARP entries
- MAC:
  - SMB (SAMBA)
  - RDP (xfreerdp)
  - SSH
  - ARP entries

When the FortiDeceptor Token Package is installed on a real Windows, Linux, or MAC endpoint, it increases the
deception surface and redirects an attacker to engage with a decoy instead of a real asset.

FortiDeceptor decoys

FortiDeceptor creates a network of decoys to lure attackers and monitor their activities on the network. When attackers
attack a decoy, first, an alert is generated; second, their malicious activities are captured and analyzed in real-time to
generate a mitigation and remediation response that protects the network.
The current FortiDeceptor decoys are:
- Windows:
  - Windows 7
  - Windows 10 (can be deployed as a gold image)
  - Windows 2016 (deployed as a gold image)
  - Windows 2019 (deployed as a gold image)
- Linux:
  - Ubuntu Desktop
- 9 OT protocols (Modbus, ENIP, S7comm, DNP3, Triconex, IPMI, IEC-104, BACnet, GUARDIAN-AST)
- IT protocols for OT (HTTP, SNMP, TFTP)
- OT vendors:
  - Rockwell
  - Siemens
  - Schneider Electric
- IoT:

  - Cisco Router (4 families)
  - HP printer
  - Network Camera
- Medical IoT:
  - Infusion Pump
  - PACS
  - DICOM
- POS Decoy
- ERP Decoy
- VPN:
  - Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)

The current FortiDeceptor monitor services are:
- Windows:
  - RDP
  - SMB
  - MSSQL
  - HTTP/S
  - Responder attack detection (Layer 2 attack feature)
  - TCPListener
- Linux:
  - SSH
  - SAMBA
  - HTTP/S
  - GIT
  - TCPListener
- IT/OT:
  - HTTP
  - FTP
  - TFTP
  - SNMP
  - MODBUS
  - S7COMM
  - BACNET
  - IPMI
  - TRICONEX
  - GUARDIAN-AST
  - IEC104
  - ENIP
  - DNP3
- IoT:
  - SNMP
  - Jet-Direct
  - HTTP
  - Telnet
  - CDP
  - UPnP
  - RTSP
- SSL VPN:
  - HTTPS
- Medical IoT:
  - HTTP/S
  - FTP
  - TELNET
  - DICOM
- POS Decoy:
  - HTTP
- CRM Decoy:
  - HTTP
The current FortiDeceptor IP address capacity is:
- A single FortiDeceptor appliance (HW/VM) can host up to 20 deception VMs.
- A single deception VM supports up to 24 IP addresses. Each IP address represents a decoy.
- A single FortiDeceptor appliance (HW/VM) can support up to 480 IP addresses.
- With 4 decoys per segment on average, a single FortiDeceptor appliance (HW/VM) can support up to 128 segments
  (VLANs).

Deploying deception

To deploy FortiDeceptor to optimize the deception surface, see the following best practices.
Deception decoy best practices on page 13
Deception lure best practices on page 18
AD integration best practices on page 20
Deployment best practices checklist on page 20
Network topology best practices on page 22

Deception decoy best practices

Deception effectiveness requires deployment across all network segments and locations.
This topic provides deception deployment best practices for the decoy layer, including deployment guidelines for each
kind of network VLAN that can exist on an enterprise network.

Example of 5-8 decoys per data-center segment (VLAN)

OS

Deploy a matching decoy OS for each type of critical / sensitive IT system in this segment.

Services

Enable matching services for each type of critical / sensitive IT system in this segment and customize the services:
- Apply a banner matching the network.
- Apply a user access rule such as a fake user and password.
- Upload fake data (SMB, FTP, HTTP).
If you do not have out-of-the-box matching services, you can use the custom TCP port listener.

Data

Upload fake data to the decoys to provide authentic engagement. If you do not have matching files, ask the
FortiDeceptor admin to provide a public files package that you can upload and generate fake data using the same
structure.

Application

Enable a false matching application for each type of critical / sensitive IT system on this segment. If you do not have a
matching application, enable high profile fake applications like ERP, POS, or PACS, and so on.

Hostname

Follow the corporate standard server names for half the decoys and assign enticing names to the remaining half, such as
JumpHost001, ERP-XXX, MNG-XXX, Net-Monitor, and so on. Remember that these hostnames must be configured at the
AD level: a single deception VM is used across 16 IP addresses and can have just one real hostname per OS, so the
remaining IP addresses need virtual hostnames at the DNS level.
Attackers also like to attack servers whose hostname contains "-test" or "-dev", because attackers assume that these
servers are less protected.

Gold Image

Ensure you use at least two Windows servers as customer gold images that host critical applications and data. To
increase authenticity, configure them to be part of the organization domain. Please add the decoy to the network domain
during the customization wizard process.

STATIC / DHCP IP Address

For datacenter segment hosting servers that always use static IP addresses, also use static IP configuration for the
decoys.

Example of 2-4 decoys per endpoint segment (VLAN)

OS

Deploy a matching decoy OS and also an "old" OS such as Win7.

Services

Enable matching services for the endpoint on this segment.
If you do not have out-of-the-box matching services, you can use the custom TCP port listener.

Data

Upload fake data to the decoys to provide authentic engagement. If you do not have matching files, ask the customer to
provide a public files package that you can upload and generate fake data using the same structure.

Hostname

Follow the corporate standard server names for half the decoys and assign enticing names to the remaining half, such as
IT Admin, HelpDesk, DBA, Finance, and so on. Remember that these hostnames must be configured at the AD level:
a single deception VM is used across 16 IP addresses and can have just one real hostname per OS, so the remaining
IP addresses need virtual hostnames at the DNS level.

Gold Image

Ensure you use at least 3–4 Windows servers as customer gold images. To increase authenticity, configure them to be
part of the organization domain. Please add the decoy to the network domain during the customization wizard process.

STATIC / DHCP IP Address

For endpoints segment hosting desktops that always use DHCP IP addresses, also use the DHCP IP configuration for
the decoys. The DHCP configuration in FortiDeceptor 3.1 and 3.2 allows us to configure one IP per segment, so use the
static configuration in this stage to have more decoys per segment.

Example of 7-10 decoys per OT segment (VLAN)

OS

- Deploy a matching decoy SCADA OS.
- Deploy a matching regular IT OS such as Win7, Win10, or Win2016.

Services

Enable matching services for the OT assets on this segment and customize the services:
- Apply a banner matching the network.
- Apply an access rule such as a fake user and password.
- Upload fake data (SMB, FTP, HTTP).
If you do not have out-of-the-box matching services, you can use the custom TCP port listener.

Data

Upload fake data to the decoys to provide authentic engagement. If you do not have matching files, ask the customer to
provide a public files package that you can upload and generate fake data using the same structure. You can also use a
search engine like SHODAN.IO to find this data on the Internet and use it to customize the decoys.

Hostname

Follow the OS SCADA names for half the decoys and assign enticing names to the remaining half, such as IT Admin,
SCADA-MNG, PLC_ADMIN, HMI_SERVER, NET-MONITOR, and so on.

Application

Check whether the customer is willing to provide you access to their OT software. Otherwise, use open-source OT software or
use the customize decoy option to generate this kind of decoy.

MAC ADDRESS

Ensure the OT decoy uses the appropriate MAC ADDRESS per vendor.

STATIC / DHCP IP Address

OT networks are mainly static environments that do not have a DHCP server, so use a static IP configuration for the
decoys as well.

Example of 8-10 decoys per cloud segment (VPC, VNET)

OS

Deploy a matching decoy OS for each type of critical / sensitive IT system in this segment.

Services

Enable matching services for each type of critical / sensitive IT system in this segment and customize the services:
- Apply a banner matching the network.
- Apply a user access rule such as a fake user and password.
- Upload fake data (SMB, FTP, HTTP).
If you do not have out-of-the-box matching services, you can use the custom TCP port listener.

Data

Upload fake data to the decoys to provide authentic engagement. If you do not have matching files, ask the customer to
provide a public files package that you can upload and generate fake data using the same structure.

Application

Enable a false matching application for each type of critical / sensitive IT system on this segment. If you do not have a
matching application, enable high profile fake applications like ERP, POS, or PACS, and so on.

Hostname

Follow the corporate standard server names for half the decoys and assign enticing names to the remaining half, such as
JumpHost001, WEB-XXX, DB-XXX, Sec-Monitor, and so on. Remember that these hostnames must be configured at the
AD level: a single deception VM is used across 16 IP addresses and can have just one real hostname per OS, so the
remaining IP addresses need virtual hostnames at the DNS level.
Attackers also like to attack servers whose hostname contains "-test" or "-dev", because attackers assume that these
servers are less protected.

Gold Image

Ensure you use at least two Windows servers as customer gold images that host critical applications and data. To
increase authenticity, configure them to be part of the organization domain. Please add the decoy to the network domain
during the customization wizard process.

STATIC / DHCP IP Address

Cloud environments mainly host servers that always use static IP addresses, so use a static IP configuration for the
decoys as well.

Example of 2-4 decoys per IoT segment (VLAN)

OS

Deploy decoys matching the regular IoT devices on the segment, such as a Cisco router, a printer, and an IP camera.

Services

Enable matching services for the IoT devices on this segment and customize the services:
- Apply a banner matching the network.
- Apply access rules such as a fake user and password.
- Upload fake data (fake video files, fake Cisco running configuration file).
If you do not have out-of-the-box matching services, you can use the custom TCP port listener.

Data

Upload fake video files or fake Cisco running configuration file to the decoys to provide authentic engagement. If you do
not have matching files, ask the customer to provide a video / running-config files package that you can upload to the
router decoy or network printer.

Hostname

Follow the IoT device names for half the decoys and assign enticing names to the remaining half, such as Security-
Camera, Backbone-Router, Financial-Printer, and more.

MAC ADDRESS

Ensure the IoT decoy uses the appropriate MAC ADDRESS per vendor.

STATIC / DHCP IP Address

IoT devices are mainly a static environment that do not have a DHCP server. Use static IP configuration as well for the
decoys.

Example of 2-4 decoys per Medical IoT segment (VLAN)

OS

Deploy decoys matching the medical IoT devices on the segment, such as an infusion pump, PACS, and DICOM server, and also
several Windows decoys such as Win7 and Win2016/2019 with a SQL DB.

Services

Enable matching services for the medical IoT devices on this segment and customize the services:
- Apply a banner matching the network.
- Apply an access rule such as a fake user and password.
- Upload fake data (fake medical PII files already exist).

If you do not have out-of-the-box matching services, you can use the custom TCP port listener.

Data

Fake medical PII files already exist.

Hostname

Follow the medical IoT device names for half the decoys and assign enticing names to the remaining half, such as
MRI_SRV, PACS, PUMP001, and more.

MAC ADDRESS

Ensure the medical IoT decoy uses the appropriate MAC ADDRESS per vendor.

STATIC / DHCP IP Address

Medical IoT devices are mainly a static environment that do not have a DHCP server, so use static IP configuration as
well for the decoys.

Deception lure best practices

Deception effectiveness requires deployment across all managed endpoints and servers.
This topic provides deception deployment best practices for the deception lure layer. For lure deployment over an AD logon
script, see Appendix A.

Example of deception lures on Windows, MAC, or Linux endpoint segment (VLAN)

RDP lure

- Set up several Windows server decoys that support RDP access.
- Set up appropriate decoy hostnames like Terminal-XX, VDI-XX, and so on. This increases the level of authenticity
  when you add the Windows server decoys to the company domain.
- Follow the company username and password policy.
- Generate 2-3 deception lures and deploy them over several different AD user groups.

SMB lure

For Windows endpoints, use either the SMB lure or the SAMBA lure. Do not use both.
- Set up at least two Windows server decoys that support two fake network share accesses.
- Generate at least two lures with two different share names.
- Use a share name similar to the company structure.
- Set up appropriate hostnames like FileSRV-XX, File-Server, and so on. This increases the level of authenticity
  when you add the Windows server decoy to the company domain.

- Follow the company username and password policy.
- Generate a single deception lure package and deploy it over all the network endpoints.

SAMBA lure

For Windows endpoints, use either the SMB lure or the SAMBA lure. Do not use both.
- Set up at least two Linux server decoys that support network share access.
- Set up appropriate hostnames like Storage-XX, Backup-Server, and so on.
- Generate at least two lures with two different share names.
- Use a share name similar to the company structure.
- Follow the company username and password policy.
- Generate a single deception lure package and deploy it over all the network endpoints.

SSH lure

- Set up several Linux server decoys that support SSH access.
- Set up appropriate hostnames like JumpHost-XX, Control-XX, Cloud-XXX, and so on.
- Use a complicated password. This gives the attacker the impression that this is a critical server.
- Generate 2-3 deception lures and deploy them over the IT endpoints group only. Attackers do not expect to see
  SSH clients on a regular desktop.

Cached credentials lure

- This deception lure requires the Windows decoy to be part of the network domain. The lure option is not
  visible in the GUI until the decoy is part of the domain.
- Set up at least two customized Windows server decoys that are part of the company domain.
- Create at least 2 domain users in the network domain and restrict their access to specific IP addresses. Add the
  decoys' IP addresses to deceive the attacker. For information about setting an IP restriction on a domain user, see
  Workstation Logon Restrictions (Log On To).
- Configure the above domain users in the Cached Credentials configuration. You can use the real domain user
  password or a fake password, depending on the level of decoy engagement you would like to have.
- Generate a single deception lure package and deploy it across all the network endpoints.

Note: If the deception user is not part of the domain, the attacker will identify it quickly using a
simple AD request. Ensure this lure uses a real domain user.

HoneyDocs lure

This deception lure generates files (Word and PDF) that trigger an alert once a threat actor opens them.
- The HoneyDocs package uses default template files or files that the end user uploads via the Lure resource
  configuration.
- The HoneyDocs package is part of the Windows deception lure package and is installed in the recent
  documents directory ("%user%\\Appdata\\Roaming\\Microsoft\\Windows\\Recent").
- The end user can edit the file honeydoc.json under the windows\res directory to change the file location.

ARP entries lure

- This deception lure is part of all the deception packages (Windows, Linux, and MAC) and inserts fake ARP entries
  on the endpoint to deceive the attacker at the network level.
- This deception lure does not require any configuration and is generated automatically.

Note: Unlike the other deception lures, the ARP entries lure requires admin credentials for
installation.

AD integration best practices

Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and allows administrators to
manage permissions and access to network resources. Active Directory stores data as objects. An object is a single
element, such as a user, group, or application, or a device, such as a printer.
To detect AD attacks using deception technology, use the following deception configuration example:
- Deploy custom Windows decoys (Windows 10, 2016, 2019) and add them to the customer network domain.

Example of custom decoys in customer network domain

l Add several custom Windows decoys to the customer network domain.
l On the Windows domain, configure scheduled task scripts to run using the fake users, such as the one from the
cache credentials lure.
l Add to each domain decoy the maximum number of IP addresses and ensure they are static IP addresses.
l On the network DNS server, configure a decoy DNS.
l Add DNS records to each decoy IP address.
l Set up attractive hostnames for each decoy IP address. For more information, see Deception decoy best
practices on page 13.
l Generate and deploy the SMB lure fronted by a domain decoy to avoid detection by tools like HoneyBuster.

Deployment best practices checklist

This checklist is an example of a deception deployment profiling and sizing. This example is based on a company with
one headquarters (HQ) site and two remote sites, one of which is a manufacturing site.

Deception item: FortiDeceptor appliance HW/VM
Customer requirement: VM
Deployment: The VM supports VMware or KVM.

Deception item: HQ site installation
Customer requirement: Yes
Deployment: Deploy on the company ESXi where you have access to most of the network VLANs. Configure the
FortiDeceptor appliance to be a Manager. FortiDeceptor manager supports dual role and can deploy deception in the
network VLANs that exist in its environment.

Deception item: Number of remote sites
Customer requirement: 2
Deployment: Deploy a FortiDeceptor appliance on each site and connect it to the FortiDeceptor manager. The
FortiDeceptor manager can manage fifty or more remote FortiDeceptor devices, including configuration, alerting and
deception VMs.

Deception item: Remote sites are office / OT network
Customer requirement: 1 remote office + 1 manufacturing site
Deployment: For the remote office site, deploy Windows / Linux desktop decoys and deception lures like SMB, RDP and
cache credentials. For the remote OT site, deploy Windows / Linux and SCADA decoys.

Deception item: Number of segments (VLANs) to cover
Customer requirement: 30

Deception item: Number of DC segments to cover
Customer requirement: 2
Deployment: Deploy Windows / Linux server decoys.

Deception item: Customer's server OS
Customer requirement: Windows, Linux
Deployment: Deploy Windows / Linux server decoys.

Deception item: Critical services in the DC segments
Customer requirement: SAP, web logistic app
Deployment: Deploy ERP/POS decoy, Windows decoy with a web app and SQL DB.

Deception item: Number of endpoint segments to cover
Customer requirement: 25
Deployment: Deploy Windows / Linux desktop decoys.

Deception item: Customer's endpoint OS
Customer requirement: Windows, MAC
Deployment: Deploy deception lures such as SMB, RDP, and cache credentials for both Windows and MAC.

Deception item: Customer's most important asset to protect
Customer requirement: SAP
Deployment: Deploy Windows decoy with SQL that uses SAP fake data.

Deception item: Attack vectors customer is facing
Customer requirement: Phishing, PTH, lateral movement based on AD
Deployment: Deploy deception lures like SMB, RDP, and cache credentials. Follow cache credentials best practice.

Deception item: Customer network's IoT devices
Customer requirement: Router, printer, network camera, temp sensors

Deception item: Customer network's OT devices
Customer requirement: SCADA PLC, HMI
Deployment: Deploy Windows / Linux and SCADA decoys.

Deception item: Customer FortiGate firewall solution
Customer requirement: Yes
Deployment: Configure Security Fabric integration for isolation mitigation response.

Deception item: Customer SIEM solution
Customer requirement: Yes
Deployment: Send SYSLOG from the FDC. Configure a correlation rule to detect lateral movement based on the cache
credentials lure.

Network topology best practices

For effective deception, you must also understand the customer's network topology, company security risks, where its
most important assets are located, and what kind of attack vectors it faces or has concerns about.
Several common network topologies require different deception deployment approaches.
This topic provides best practices for the following scenarios:
1. Network with data center and users at the same location.
2. Network with a data center, users at the same location, and users at remote offices.
3. Network with a data center, users at the same location, users at remote offices, and remote OT sites.

Deception deployment in HQ only

A network topology without remote locations is less common today. The reasoning might be that the most important
assets are in HQ only and there is no need to deploy deception in remote sites.

This scenario shows deploying deception in the main HQ only, even if there are also remote locations.

In this scenario, follow these best practice recommendations:

l Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network
VLANs.
l Deploy decoys following the best practice recommendation in Deception decoy best practices on page 13.
    l On data center VLANs: 5-7 decoys per VLAN.
    l On endpoint VLANs: 2-4 decoys per VLAN.
l Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
    l RDP
    l SMB
    l Cached credentials
    l HoneyDocs
    l SSH (on IT department desktops only)
l Fabric integration.
    l If you have FortiGate, consider the integration value between FortiDeceptor and FortiGate for alert mitigation
    by isolating the infected machine.
    l Send SYSLOG to SIEM or any logger solution in place.
    l Send SYSLOG to SOAR solution for Deception playbooks. For example, FortiSOAR has pre-built deception
    playbooks for FortiDeceptor.

Deception deployment in HQ and remote offices

A network topology with remote locations is the most common enterprise network topology for installations that want to
provide the same security protection across all sites.
The level of connectivity required by remote office users is broader and will lead to a data breach if the security level is
not similar to the HQ security.

In this scenario, follow these best practice recommendations:

l Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network
VLANs. Configure this FortiDeceptor appliance as Manager to manage the remote appliances. FortiDeceptor
manager supports dual role as Manager and Deceptor from the same appliance.
l FortiDeceptor manager can manage fifty or more remote devices using a secure and proprietary management
protocol.
l Deploy a FortiDeceptor appliance on each remote location and connect it to FortiDeceptor manager.
l On the HQ office, deploy decoys following the best practice recommendation in Deception decoy best practices on
page 13.
    l On data center VLANs: 5-7 decoys per VLAN.
    l On endpoint VLANs: 2-4 decoys per VLAN.
    l On the remote FortiDeceptor appliance, deploy decoys according to the network asset inventory. For example,
    if the remote location has only Windows endpoints, deploy Windows 7/10, network printer, router and network
    camera decoys.
l Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
    l RDP
    l SMB
    l SSH (on IT department desktops only)
l Fabric integration.
    l If you have FortiGate, consider the integration value between FortiDeceptor and FortiGate for alert mitigation
    by isolating the infected machine.
    l Send SYSLOG to SIEM or any logger solution in place.
    l Send SYSLOG to SOAR solution for Deception playbooks. For example, FortiSOAR has pre-built deception
    playbooks for FortiDeceptor.


Deception deployment in HQ, remote offices, and OT sites

A network topology with remote locations (offices + OT sites) is very common for manufacturing, critical infrastructure,
and energy companies. The OT site presents a security challenge due to its environmental complexity, such as legacy
OSes, non-standard devices and protocols, and so on.

In this scenario, follow these best practice recommendations:

l Deploy a single FortiDeceptor appliance and connect it to the network via trunk to cover most of the HQ network
VLANs. Configure this FortiDeceptor appliance as Manager to manage the remote appliances. FortiDeceptor
manager supports dual role as Manager and Deceptor from the same appliance.
l FortiDeceptor manager can manage fifty or more remote FortiDeceptor devices using a secure and proprietary
management protocol.
l Deploy the FortiDeceptor appliance on each remote location and connect it to FortiDeceptor manager.
l On the HQ office, deploy decoys following the best practice recommendation in Deception decoy best practices on
page 13.
    l On data center VLANs: 5-7 decoys per VLAN.
    l On endpoint VLANs: 2-4 decoys per VLAN.
    l On the remote office site, deploy the FortiDeceptor appliance and deploy decoys according to the network
    asset inventory. For example, if the remote location has only Windows endpoints, deploy Windows 7/10, network
    printer, router and network camera decoys.
    l On the OT remote site, deploy the FortiDeceptor appliance and deploy decoys according to the network asset
    inventory. For example, SCADA, Cisco router, network printer, network camera and also Windows 7 decoys.
l Deploy deception lures across all manageable endpoints even if some of them are in remote sites.
    l RDP
    l SMB
    l Cached credentials
    l HoneyDocs
    l ARP Lure
    l SSH (on IT department desktops only).
l Fabric integration.
    l If you have FortiGate, consider the integration value between FortiDeceptor and FortiGate for alert mitigation
    by isolating the infected machine.
    l Send SYSLOG to SIEM or any logger solution in place.
    l Send SYSLOG to SOAR solution for Deception playbooks. For example, FortiSOAR has pre-built deception
    playbooks for FortiDeceptor.


Attack vectors vs deception

This section shows the best practices for attack vectors vs deception.
Compromised internal endpoint using lateral movement on page 28
Lateral movement based on AD mapping on page 30
Lateral movement based on Mimikatz / PTH on page 31

Compromised internal endpoint using lateral movement

This scenario shows a human attacker trying to compromise an internal endpoint using lateral movement.

Attack vector scenario

An attacker uses a phishing email to compromise the internal user and get access to an internal endpoint.
The attacker then explores the compromised endpoint and collects intelligence on the network before running any
privilege escalation or lateral movement.

Attacker's possible first steps on the compromised endpoint:

l Use network commands to understand the network environment and the endpoint location, such as getting
information on critical servers and sensitive application locations.
l Access the local / network drive to find information like sensitive files, credentials, and more. The attacker is building
the lateral movement route.
l Extract / dump saved passwords from Windows Credential Manager, browser, or memory, whether in clear text or
hashed.

Deception layer

Use SMB deception lures that generate fake network drives fronted by a file server decoy with fake files. The fake
network drive configuration is hidden to prevent users from opening it and generating false alerts. Keep in mind that the
SMB lure also inserts fake credentials into the Windows Credential Manager.
Use RDP deception lures that store saved usernames and passwords in the Windows Credential Manager that provide
access to a Windows / Linux server decoy.
Use Cached credentials lures that inject saved usernames and passwords into Windows memory to detect attacks
using password dump tools like Mimikatz. Use a real domain user with IP restrictions.


Early breach detection

Since most users store data on the network drive, when an attacker finds that the compromised endpoint has a local disk
and a network drive, the attacker will likely access the fake network drive and generate alerts.
Attackers might use a tool like Mimikatz to extract clear-text passwords. An attacker engaging with a decoy using the
extracted password generates alerts.

Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data
includes:
l Attacker username.
    l One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    l A standard user means that the attacker / attack is in the early stage. Admin-level credentials mean that the
    attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from
    the IT department.
l Compromised IP address.
    l This is a critical indicator that points directly to the compromised host. Early detection prevents more persistence
    points by the attacker.
l Data that has been accessed by the attacker.
    l To see what data an attacker wants to access and steal, one way is to deploy interesting fake data that
    resembles your organization's real data.
    l Another way is to deploy a decoy file server with a structure that contains at least ten fake directories that
    resemble your organization's real server.
    l You can monitor what data the attacker accesses or copies to assess the attacker's goal.
l Malicious binary.
    l For example, if the attacker engages with a decoy over RDP, the attacker will likely use malicious code to get
    more persistence and privileged access. So having the malicious binary as a piece of evidence with the full binary
    analysis helps the IOC search across the network for more compromised endpoints. You can use an IOC scanner or
    AV/EDR API to find the indicators across network endpoints and servers.

ECO system flow:

l Send alerts to your SIEM solution.
l Use your FortiGate Fabric integration to isolate the compromised endpoint from the network. FortiDeceptor offers
more fabric connectors for isolation.
l Deploy more decoys on the isolated segment to keep monitoring the compromised endpoint.


Lateral movement based on AD mapping

This scenario shows a human attacker trying to compromise an internal endpoint using lateral movement based on AD
mapping.

Attack vector scenario

An attacker uses a phishing email to compromise the internal user and get access to an internal endpoint.
The attacker uses the compromised user credentials to passively map the network and collect information without
generating network noise.
The attacker uses the compromised user credentials to run LDAP queries against the AD to retrieve the asset inventory,
since all users have read-only access to AD objects.
Leveraging the AD asset inventory saves the attacker from running active port scan mapping that generates network
noise that can expose their malicious activity.

Attacker's toolkit for AD attack:

l PS script or LDAP query command tools to extract company endpoint and server assets.
l Analyze the hostnames to find assets whose hostname reflects their role, or dev / test servers that might not be
protected like the rest of the network.

Deception layer

l Deploy Windows decoys and add them to the network domain.
l Add DNS A records using attractive hostnames for all domain decoys' IP addresses. Each decoy supports up to 24 IPs.
l Use SMB deception lures that generate a fake network drive share on the endpoint, mapped to a file server
decoy with fake files. The fake network drive configuration is hidden to prevent users from opening it and generating
false alerts. Keep in mind that the SMB lure also inserts fake credentials into the Windows Credential Manager.
l Use RDP deception lures that store saved usernames and passwords in the Windows Credential Manager that
provide access to a Windows / Linux server decoy.
l Use Cached credentials lures that inject saved usernames and passwords into Windows memory to detect
attacks using password dump tools like Mimikatz. Use a real domain user with IP restrictions.

Early breach detection

When the attacker retrieves asset inventory from the AD and starts probing the attractive servers based on their
hostname or the fake network connection, these activities generate alerts.


Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data
includes:
l Attacker username.
    l One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    l A standard user means that the attacker / attack is in the early stage. Admin-level credentials mean that the
    attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from
    the IT department.
l Compromised IP address.
    l This is a critical indicator that points directly to the compromised host. Early detection prevents more persistence
    points by the attacker.
l Malicious binary.
    l For example, if the attacker engages with a decoy over RDP, the attacker will likely use malicious code to get
    more persistence and privileged access. So having the malicious binary as a piece of evidence with the full binary
    analysis helps the IOC search across the network for more compromised endpoints. You can use an IOC scanner or
    AV/EDR API to find the indicators across network endpoints and servers.

ECO system flow:

l Send alerts to your SIEM solution.
l Use your FortiGate Fabric integration to isolate the compromised endpoint from the network. FortiDeceptor offers
more fabric connectors for isolation.
l Deploy more decoys on the isolated segment to keep monitoring the compromised endpoint.

Lateral movement based on Mimikatz / PTH

This scenario shows a human attacker trying to compromise an internal endpoint using lateral movement based on
Mimikatz / PTH.

Attack vector scenario

An attacker uses a phishing email to compromise the internal user and get access to an internal endpoint.
The attacker looks for any powerful user on the compromised endpoint.
The attacker / APT uses an advanced tool like Mimikatz to run several attacks to extract clear-text passwords from
memory or Windows Credential Manager, AD Kerberos tickets, Windows local hashes, and so on.
The Mimikatz tool's goal is to get administrator-level permission and run in-depth lateral movement across the network.

Attacker's toolkit:

l Tools like Mimikatz, Meterpreter, password dump, and so on.
l Leverage services like RDP, RPC, WMI, VNC, SSH, and WINRM for lateral movement.


Deception layer

l Deploy Windows decoys and add them to the network domain.
l Add DNS A records using attractive hostnames for all domain decoys' IP addresses. Each decoy supports up to 24
IPs.
l Use SMB deception lures that generate a fake network drive share on the endpoint, mapped to a file server
decoy with fake files. The fake network drive configuration is hidden to prevent users from opening it and generating
false alerts. Keep in mind that the SMB lure also inserts fake credentials into the Windows Credential Manager.
l Use RDP deception lures that store saved usernames and passwords in the Windows Credential Manager that
provide access to a Windows / Linux server decoy.
l Use Cached credentials lures that inject saved usernames and passwords into Windows memory to detect
attacks using password dump tools like Mimikatz. Use a real domain user with IP restrictions.

Early breach detection

An attacker using fake credentials from the cache credentials, SMB, or RDP lure to engage with a decoy generates
alerts.
An attacker engaging with a real asset using the fake username and password (from the cache credentials lure) generates
an alert on the SIEM solution. This requires a SIEM correlation rule.
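The SIEM correlation rule described above, as an added example that is not FortiDeceptor's code or any SIEM vendor's rule syntax: it flags every logon event in which a lure (fake) domain user is used against a host that is not a decoy, which is the signature of a cached credential harvested from an endpoint and replayed against a real asset. The lure usernames, decoy hostnames and key=value event lines are constructed for this example and only loosely follow Windows Security events 4624/4625; domain-prefixed and UPN usernames and failed logons are handled as well.

```python
"""Correlation rule: lure (fake) domain user seen on a non-decoy host."""
import re
from dataclasses import dataclass

# Constructed: domain users injected by the cached credentials lure. In a real
# deployment these are real, IP-restricted domain accounts (see the lure notes).
LURE_USERS = {"svc_backup", "sql_admin_old"}

# Constructed: domain-joined decoys. Lure users are expected here (scheduled
# tasks run as them, and FortiDeceptor raises its own alert on engagement).
DECOY_HOSTS = {"FS-ARCHIVE01", "SQL-LEGACY02"}

# Windows logon success / failure event IDs; other events are ignored.
LOGON_EVENT_IDS = {"4624", "4625"}

# Constructed key=value lines modelled on forwarded Windows Security events.
SAMPLE_EVENTS = [
    "EventID=4624 Computer=FS-ARCHIVE01.fdc.com TargetUserName=svc_backup TargetDomainName=FDC IpAddress=10.1.20.15 LogonType=3",
    "EventID=4624 Computer=WS-HR-07.fdc.com TargetUserName=jdoe TargetDomainName=FDC IpAddress=10.1.20.15 LogonType=2",
    "EventID=4625 Computer=DC01.fdc.com TargetUserName=FDC\\svc_backup IpAddress=10.1.20.15 LogonType=3",
    "EventID=4624 Computer=FILESRV01.fdc.com TargetUserName=SQL_ADMIN_OLD TargetDomainName=FDC IpAddress=10.1.20.15 LogonType=3",
    "EventID=4672 Computer=DC01.fdc.com TargetUserName=svc_backup TargetDomainName=FDC",
    "EventID=4624 Computer=SQL-LEGACY02 TargetUserName=svc_backup TargetDomainName=FDC IpAddress=10.1.20.15 LogonType=3",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class LureAlert:
    lure_user: str    # normalized lure account name
    target_host: str  # real (non-decoy) host the credential was used against
    source_ip: str    # compromised endpoint: the isolation target
    outcome: str      # "success" (4624) or "failure" (4625)


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def normalize_user(user: str) -> str:
    """'FDC\\svc_backup', 'svc_backup@fdc.com', 'SVC_BACKUP' -> 'svc_backup'."""
    user = user.rsplit("\\", 1)[-1]
    user = user.split("@", 1)[0]
    return user.lower()


def normalize_host(host: str) -> str:
    """Reduce an FQDN or short name to an upper-case short hostname."""
    return host.split(".", 1)[0].upper()


def correlate(lines, lure_users=LURE_USERS, decoy_hosts=DECOY_HOSTS):
    """Return a LureAlert for every logon of a lure user against a non-decoy host."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in LOGON_EVENT_IDS:
            continue
        user = normalize_user(ev.get("TargetUserName", ""))
        if user not in lure_users:
            continue
        host = normalize_host(ev.get("Computer", ""))
        if host in decoy_hosts:
            continue  # expected decoy engagement; FortiDeceptor alerts on it
        outcome = "success" if ev["EventID"] == "4624" else "failure"
        alerts.append(LureAlert(user, host, ev.get("IpAddress", "-"), outcome))
    return alerts


def compromised_sources(alerts):
    """Distinct source IPs to hand to the firewall / fabric isolation playbook."""
    return sorted({a.source_ip for a in alerts if a.source_ip != "-"})


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for a in found:
        print(f"LURE CREDENTIAL REPLAY: {a.lure_user} -> {a.target_host} "
              f"from {a.source_ip} ({a.outcome})")
    print("Isolate:", compromised_sources(found))
```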

Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data
includes:
l Attacker username.
    l One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    l A standard user means that the attacker / attack is in the early stage. Admin-level credentials mean that the
    attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from
    the IT department.
l Compromised IP address.
    l This is a critical indicator that points directly to the compromised host. Early detection prevents more persistence
    points by the attacker.
l Malicious binary.
    l For example, if the attacker engages with a decoy over RDP, the attacker will likely use malicious code to get
    more persistence and privileged access. So having the malicious binary as a piece of evidence with the full binary
    analysis helps the IOC search across the network for more compromised endpoints. You can use an IOC scanner or
    AV/EDR API to find the indicators across network endpoints and servers.

ECO system flow:

l For SIEM:
    l Send alerts to your SIEM solution.
    l Create a correlation rule that creates an alert on use of the fake username (cache credential lure).
l Use your FortiGate Fabric integration to isolate the compromised endpoint from the network. FortiDeceptor offers
more fabric connectors for isolation.
l Deploy more decoys on the isolated segment to keep monitoring the compromised endpoint.

Ransomware Detection & Isolation

Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim to
restore access to the data upon payment.
There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is
phishing attacks that use malicious attachments that claim to be a file the user should trust.

Attack vector scenario

Ransomware attacks often use sophisticated techniques and tactics to penetrate an organization and compromise an
endpoint. The primary goal of a ransomware attack is to encrypt your files.
Rather than fighting against this process, what would happen if, instead, you redirected the ransomware to encrypt fake
files you created intentionally and placed on the network to entice the attackers?

Attacker's toolkit:

l Phishing attack with Ransomware malware.


Deception layer

In the network topology diagram above, deception solutions start by setting up and deploying a fake network share
across every endpoint/server in your network.
In the network topology diagram, the fake network drive:
l Is labeled with the letter E.
l Is hidden from legitimate users to prevent them from clicking on the decoy systems and generating false alerts.
l Contains fake files and workflows that exist to expose an attacker and/or malicious ransomware.
l Is mapped using a network decoy that acts as a fake file server, complete with fake traffic and files.
FortiDeceptor can also be fully integrated into your third-party security tools, such as your firewall, Network Access
Control, and next-gen AV, so that all identified malicious activity can be quickly mitigated.
Once ransomware compromises an endpoint and starts to encrypt local and network drives, the decoy (fake network file
server) can immediately detect its malicious activity and leverage one of your existing security tools to automatically limit
or prevent damage, and simultaneously isolate the infected endpoint to immediately protect the rest of the network.


Early breach detection

By attempting to encrypt the fake files, the hackers expose themselves and their intentions, as well as reveal the
existence of their malware, before they can do any damage.
An extremely powerful counterattack strategy is to deceive ransomware into running against a fake target of your
choosing to trigger an alert and reveal its criminal intentions.

Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data
includes:
l Ransomware Alert message in the incident alert body.
l Attacker username.
    l One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    l A standard user means that the attacker / attack is in the early stage. Admin-level credentials mean that the
    attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from
    the IT department.
l Compromised IP address.
    l This is a critical indicator that points directly to the compromised host. Early detection prevents more persistence
    points by the attacker.

ECO system flow:

l For SIEM:
    l Send alerts to your SIEM solution.
    l Create a correlation rule that creates an alert on use of the fake username (cache credential lure).
l Use your FortiGate Fabric integration to isolate the compromised endpoint from the network. FortiDeceptor
offers more fabric connectors for isolation.
l For information about detecting ransomware malware, watch this video: FortiDeceptor 3.3 Ransomware
Detection.

Network Attack against OT network

Modern OT sensors have a much broader range of capabilities. This makes them an attractive target for malicious actors
who seek to access and then migrate across the converged IT and OT environment.
OT sensors are increasingly connecting to IP networks, and this IP network allows remote access for remote support
and maintenance. The lack of network segmentation, combined with poor remote access policies, enables cyber criminals
to attack over the internet from anywhere in the world.

Attack vector scenario

A threat actor can compromise an OT network using several different vectors, such as:

l External VPN connection.
l Taking advantage of the network connectivity between the enterprise network and the OT network.
l Physical access using DSK, and many more.

Attacker's toolkit:

l Network attack tools such as NMAP, exploits, and OT based tools like mod-cli and many more.

Deception layer

In the network diagram above, deception solutions start by setting up and deploying fake OT and IoT decoys on the
OT network with fake legacy Windows decoys like Windows 7.
l A remote support technician (threat actor) that uses the VPN access to connect to the OT network can use the
jump-box machine to start moving laterally.
l At this stage, the remote support technician acts as a threat actor and will use network attack tools to map the
network.
l FortiDeceptor offers OT decoys that protect against known threats and deceive, expose, and eliminate advanced
threat actors. The offering includes Rockwell and SIEMENS decoys, OT protocols like MODBUS and DNP3, and
many more.
l Once a threat actor attacks a decoy, FortiDeceptor:
    l Raises an alert, and monitors and records the attacker's lateral movement for generating threat intelligence.
    l Sends an alert to your logging system.
    l Initiates a threat response by leveraging the integration with your Fortinet fabric or any other third-party tools to
    mitigate and isolate the threat actor from the network.

Early breach detection

Since deception technology alerts are only tripped by unauthorized users, devices, and applications, the moment the
threat actor probes any decoy, FortiDeceptor raises an alert.

Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data
includes:
l Attacker username.
    l One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    l A standard user means that the attacker / attack is in the early stage. Admin-level credentials mean that the
    attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from
    the IT department.
l Compromised IP address.
    l This is a critical indicator that points directly to the compromised host. Early detection prevents more persistence
    points by the attacker.
l Malicious binary.
    l For example, if the attacker engages with a decoy over RDP, the attacker will likely use malicious code to get
    more persistence and privileged access. So having the malicious binary as a piece of evidence with the full binary
    analysis helps the IOC search across the network for more compromised endpoints. You can use an IOC scanner or
    AV/EDR API to find the indicators across network endpoints and servers.

ECO system flow:

l For SIEM:
    l Send alerts to your SIEM solution.
    l Create a correlation rule that creates an alert on use of the fake username (cache credential lure).
l Use your FortiGate Fabric integration to isolate the compromised endpoint from the network. FortiDeceptor
offers more fabric connectors for isolation.
l For information about detecting ransomware malware, watch this video: FortiDeceptor 3.3 Ransomware
Detection.


Appendix A - Deploying tokens using AD GPO logon script

FortiDeceptor generates a deception lure package based on the decoy service configuration. For example, deploying a
Windows server decoy with the services RDP and SMB, and Linux desktop decoy with the services SSH and SAMBA
generates a deception lure package named FDC_TokenPKG_XXXXXXXXX that contains the deception lure files.
The deception lure package is a zip file that has three directories containing all the relevant data and configuration for
each OS.
The deception lure for each OS uses the same concept: binary files with several JSON files that provide the decoy fake
access parameters for the lure.
There are two ways to assign logon scripts. The first is on the Profile tab of the user properties dialog in the Active
Directory Users and Computers (ADUC). The second is via Group Policy Objects (GPO).
This section provides in-depth instructions on how to deploy Windows lures using the second option via AD GPO logon
script.
The main idea for the GPO logon script distribution is:
l Place the deception lure package in a network directory that is accessible to all endpoints.
l Generate a batch file that runs under the logon script and runs each time the end user logs into the network domain.
l The batch file copies the deception lure package to the endpoint and executes it.
l After execution, the endpoint has the deception lure in place.

To prepare the GPO logon script:

1. Download the deception lure package from the FortiDeceptor Admin Console.
2. Unzip the downloaded file to a temporary location.
3. Open the unzipped file and access the windows directory.
4. Copy the following from the windows directory:
l windows_token.exe

l res directory.
5. On the AD server, go to \\%UserDNSDomain%\SysVol\domain\scripts
In this example, the domain is FDC.COM so the location is \\FDC.COM\SysVol\FDC.COM\scripts.
6. In the scripts directory, create a new directory and name it MyFiles.
7. Copy windows_token.exe and the res directory to the MyFiles directory.
8. Create a batch file named Lure.bat with the following commands. In this example, the domain is FDC.com.
rem Source folder on the SYSVOL share and destination folder in the user's profile.
set SFolder=\\FDC.COM\SysVol\FDC.COM\scripts\MyFiles
set DFolder=%UserProfile%
rem Copy the lure binary. The trailing * tells xcopy that the destination is a file, not a directory.
xcopy /H /K /F /C /Y /I "%SFolder%\windows_token.exe" "%DFolder%\windows_token.exe*"
rem Copy the res directory, including subdirectories and hidden files.
xcopy /E /S /H /K /F /C /Y /I "%SFolder%\res" "%DFolder%\res"
rem Run the lure installer minimized and wait for it to finish before the logon script exits.
start /B /WAIT /MIN "windows_token" "%DFolder%\windows_token.exe" "-non-interactive"
exit
9. To uninstall using the batch file, replace the start line with the following line:
start /B /WAIT /MIN "uninstall_windows_token" "%SFolder%\windows_token.exe" "uninstall" "-non-interactive"
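The same deployment written as a PowerShell logon script, with one addition a defender would want: the lure binary is only copied and executed if its SHA-256 matches the hash you recorded when you published the package to MyFiles. This is an added example, not Fortinet's Lure.bat and not part of the FortiDeceptor lure package. It assumes the MyFiles layout from step 7, that windows_token.exe accepts the same "-non-interactive" and "uninstall" arguments the batch file passes, and that you replace the placeholder hash with the hash of your own exported binary.

```powershell
# Added example, not Fortinet's Lure.bat: a PowerShell logon script that copies the lure
# package from SYSVOL to the user profile and runs it only if the binary's SHA-256 matches
# the value pinned below. Assumptions: the MyFiles layout from step 7 and the
# "-non-interactive" / "uninstall" arguments shown in steps 8 and 9. FDC.COM is the
# example domain used throughout this appendix.
param(
    [switch]$Uninstall   # pass -Uninstall to remove the lure instead of installing it
)

$ErrorActionPreference = 'Stop'

# Source (SYSVOL) and destination (user profile), mirroring SFolder / DFolder in Lure.bat.
$SFolder = '\\FDC.COM\SysVol\FDC.COM\scripts\MyFiles'
$DFolder = $env:USERPROFILE

# PLACEHOLDER: replace with the SHA-256 of the windows_token.exe you copied into MyFiles,
# obtained with: Get-FileHash -Algorithm SHA256 .\windows_token.exe
$ExpectedSha256 = 'REPLACE_WITH_SHA256_OF_WINDOWS_TOKEN_EXE'

$SourceExe = Join-Path $SFolder 'windows_token.exe'
$LocalExe  = Join-Path $DFolder 'windows_token.exe'
$SourceRes = Join-Path $SFolder 'res'

# Check the network copy before anything is written to the endpoint: a binary whose hash
# does not match the pinned value is neither copied nor executed.
$ActualSha256 = (Get-FileHash -LiteralPath $SourceExe -Algorithm SHA256).Hash
if ($ActualSha256 -ne $ExpectedSha256.ToUpperInvariant()) {
    Write-Warning "windows_token.exe hash mismatch (got $ActualSha256); lure not deployed."
    exit 1
}

# Equivalent of the two xcopy lines. The res tree is copied with the profile directory as
# the destination so an existing %UserProfile%\res is updated rather than nested as res\res.
Copy-Item -LiteralPath $SourceExe -Destination $LocalExe -Force
Copy-Item -LiteralPath $SourceRes -Destination $DFolder -Recurse -Force

# Equivalent of the start /B /WAIT /MIN line: run hidden, wait, and return the installer's
# exit code so the logon script result reflects what windows_token.exe reported.
$ArgList = if ($Uninstall) { @('uninstall', '-non-interactive') } else { @('-non-interactive') }
$proc = Start-Process -FilePath $LocalExe -ArgumentList $ArgList -WindowStyle Hidden -Wait -PassThru
exit $proc.ExitCode
```

A PowerShell logon script is added on the PowerShell Scripts tab of the same Logon Properties dialog used in steps 6 to 11, rather than the Scripts tab used for Lure.bat. PowerShell logon scripts are subject to the domain's execution policy, so either sign the script or enable script execution through GPO (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution).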

FortiDeceptor Best Practices Fortinet Technologies Inc.


Appendix A - Deploying tokens using AD GPO logon script 39

Configuring the GPO logon script

To configure the GPO logon script:

1. Log into the AD server and open the Group Policy Management tool.
You can also open this tool by running gpmc.msc from the command line.
2. Right-click the top-level domain object (in this example, FDC.COM) and select Create a GPO in this domain, and
link it here.
This creates a new group policy object.

3. Enter a name for the new group policy object. Do not use a name that has any association with a deception
technology.

4. Right-click the new group policy object and select Edit.


5. Go to User configuration > Policies > Windows Settings > Scripts (Logon/Logoff).


6. In the right pane, double-click Logon to configure the Logon script properties.

7. In the Logon Properties dialog box, click Show Files.


8. Copy the batch file Lure.bat that you have prepared.

9. In the Logon Properties dialog box, click Add to open the Add a Script dialog box.


10. Click Browse, locate the Lure.bat batch file and add it to Scripts (Logon/Logoff).

11. Click Apply and then click OK to close this window.

To enforce the group policy:

1. In the Group Policy Management console, select the new group policy object (in this example, under FDC.COM).
2. In the Scope tab, verify that FDC.COM is linked.
3. In the Security Filtering section, add or remove user groups to control which users receive the deception lure package
through the logon script.
4. In the left pane, right-click the FDC group policy object and select Enforced.



Appendix B - Configuring trunk ports on FortiDeceptor VM

This section describes how to configure trunk ports to extend VLANs between FortiDeceptor VM and ESXi vSwitch using
a single interface.
This setup requires FortiDeceptor VM v3.1 build 0061 and vSwitch ESXi v6.7.0 build 13006603.
Set up a single ESXi host with the following workloads.
• 1 FortiDeceptor VM with one decoy monitoring two network segments.
• 2 web servers in different VLANs / network segments.
• 1 vSwitch dedicated to connecting the FortiDeceptor decoy to the network segments.


FortiDeceptor VM has internal network ports. Set up FortiDeceptor VM with the following.
• Reserve port1 for device management.
• Use the other ports to deploy deception decoys.

When you initially set up FortiDeceptor, the interface configuration in Network > Interfaces is provisioned automatically.
You do not need to change this section as these network settings are just for internal use. The actual deception network
interfaces that connect to the monitored segments are configured under Deception > Deployment Network.


In this environment, port3 is used to deploy a Linux-based deception VM (decoy). The goal is to monitor network activity
in two different VLANs where the production servers reside: WebServer-1 (192.168.11.11/24) in VLAN11 and
WebServer-2 (192.168.21.21/24) in VLAN21.

The deception VM has a single network interface to monitor two different VLANs so it is necessary to configure VLAN
trunking between port3 and the ESXi vSwitch port. There is only one vSwitch to connect all the devices together using
different virtual ports for each device.


Configuring FortiDeceptor

Configure FortiDeceptor to monitor the subnet networks, one for each VLAN, using the same network port3.

To configure FortiDeceptor:

1. Go to Deception > Deployment Network and click Add New Vlan / Subnet to add the monitored segments.

2. Use the VLAN tag for each monitored subnet so that FortiDeceptor can differentiate the traffic between them.
Verify that both VLANs use port3.
3. Specify the Deploy Network IP/Mask that the deception VM uses to monitor its decoys on each segment.
Ensure these IP addresses are unique and belong to the monitored subnets.
4. Go to Deception > Deployment Wizard to deploy the actual deception VM and attach the monitored segments.

5. Specify the network settings for the decoys.


FortiDeceptor automates the creation of deception VMs and decoy services to lure and expose attackers, so the decoy
services on each segment require dedicated IP addresses to interact with attackers.


If you want to use a static IP address for the decoy services, click Static, then specify a single IP address or IP
address range in IP Ranges.

6. After completing VM deployment, go to Decoy & Lure Status to validate the configuration.


7. Test connectivity by pinging the decoy and the monitoring IP addresses and verify that they are reachable.
The web servers are not reachable as ESXi is not configured yet.


From the networking perspective, FortiDeceptor is ready to monitor both VLANs over port3. However, to activate the
logical trunk interface, FortiDeceptor needs to receive VLAN trunking traffic from the vSwitch port.
If you have a physical switch connected to the ESXi host, you must configure 802.1Q on the switch port that is connected
to the host uplink.

Configuring the vSwitch

To simplify configuration, we recommend using a dedicated vSwitch for the decoy and monitored segments.
The following diagram shows the vSwitch ports relationship.

On ESXi, configure the vSwitch_FDC_Decoys vSwitch to connect both VLANs to FortiDeceptor. Then configure three
network port-groups:
1. FDC_Trunk – Port-group for the actual trunk interface between FortiDeceptor and vSwitch.
2. VLAN11 – Port-group to connect VLAN11 to vSwitch.
3. VLAN21 – Port-group to connect VLAN21 to vSwitch.

To configure the vSwitch:

1. On the ESXi client, go to Networking > Virtual Switches and add a standard virtual switch.
Just configure the vSwitch Name, remove the uplink (unless you need it), and use default values for the other
options.

2. Go to Networking > Port groups and add the port groups.


Port groups for VLAN11 and VLAN21 are similar. For each port group, specify a Name, configure the VLAN ID, and
select the Virtual switch.

3. For the FDC Trunk port, configure a special port-group.


On ESXi, you do not need to configure 802.1Q. You only need to set the port group to be a promiscuous interface
and specify 4095 for the VLAN ID so the vSwitch can send and receive traffic from the VLANs configured on
FortiDeceptor.
Select the Virtual switch and set all Security options to Accept.


4. To verify the configuration, check the vSwitch topology and ensure all devices are connected to this switch.

5. Test connectivity from FortiDeceptor to the web servers, and from each web server to the decoys connected to the
same VLAN.


• From FortiDeceptor.
• From web server 1.
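The vSwitch and port-group configuration from steps 1 to 4 above, scripted with VMware PowerCLI instead of the ESXi web client, with a read-back check of the trunk port group at the end. This is an added example and not Fortinet's or VMware's own code. It assumes the VMware.PowerCLI module is installed, that the host name passed as -EsxiHost is reachable with administrative credentials, and it reuses the names and VLAN IDs from this appendix (vSwitch_FDC_Decoys, FDC_Trunk, VLAN11, VLAN21, VLAN ID 4095).

```powershell
# Added example (not Fortinet's or VMware's code): creates the vSwitch and the three port
# groups from Appendix B with VMware PowerCLI and verifies the trunk port group afterwards.
# Assumes the VMware.PowerCLI module is installed (Install-Module VMware.PowerCLI) and that
# the caller has administrative access to the ESXi host given as -EsxiHost.
param(
    [Parameter(Mandatory = $true)] [string]$EsxiHost,   # ESXi host name or IP (assumed)
    [string]$SwitchName = 'vSwitch_FDC_Decoys',
    [int[]]$MonitoredVlans = @(11, 21)                  # VLAN11 and VLAN21 from the example
)

$ErrorActionPreference = 'Stop'
Connect-VIServer -Server $EsxiHost | Out-Null
$VMHost = Get-VMHost -Name $EsxiHost

# Step 1: a standard vSwitch without an uplink. New-VirtualSwitch attaches no physical NIC
# unless -Nic is given, which matches "remove the uplink (unless you need it)".
$vSwitch = Get-VirtualSwitch -VMHost $VMHost -Name $SwitchName -ErrorAction SilentlyContinue
if (-not $vSwitch) {
    $vSwitch = New-VirtualSwitch -VMHost $VMHost -Name $SwitchName
}

# Step 2: one access port group per monitored VLAN; the web servers attach here.
foreach ($vlan in $MonitoredVlans) {
    $pgName = "VLAN$vlan"
    if (-not (Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name $pgName -ErrorAction SilentlyContinue)) {
        New-VirtualPortGroup -VirtualSwitch $vSwitch -Name $pgName -VLanId $vlan | Out-Null
    }
}

# Step 3: the trunk port group for FortiDeceptor port3. VLAN ID 4095 makes the vSwitch pass
# the 802.1Q tags through to the VM, which is how FortiDeceptor tells VLAN11 traffic from
# VLAN21 traffic, and all three security options are set to Accept as the appendix requires.
$trunk = Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name 'FDC_Trunk' -ErrorAction SilentlyContinue
if (-not $trunk) {
    $trunk = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name 'FDC_Trunk' -VLanId 4095
}
$trunk | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true -MacChanges $true | Out-Null

# Step 4: read the configuration back and fail if the trunk is not in the state the decoy needs.
$trunk  = Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name 'FDC_Trunk'
$policy = $trunk | Get-SecurityPolicy
$problems = @()
if ($trunk.VLanId -ne 4095)        { $problems += "FDC_Trunk VLAN ID is $($trunk.VLanId), expected 4095" }
if (-not $policy.AllowPromiscuous) { $problems += 'FDC_Trunk: Promiscuous mode is not Accept' }
if (-not $policy.ForgedTransmits)  { $problems += 'FDC_Trunk: Forged transmits is not Accept' }
if (-not $policy.MacChanges)       { $problems += 'FDC_Trunk: MAC address changes is not Accept' }

# Topology summary, the scripted equivalent of checking the vSwitch topology in the client.
Get-VirtualPortGroup -VirtualSwitch $vSwitch | Select-Object Name, VLanId | Format-Table -AutoSize

Disconnect-VIServer -Server $EsxiHost -Confirm:$false
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Run the script once per ESXi host, then attach the FortiDeceptor VM's port3 vNIC to FDC_Trunk and each web server's vNIC to its VLAN port group before repeating the connectivity tests in step 5. The read-back check exists because the three security options are inherited from the vSwitch by default; reading the port group's own policy confirms the Accept overrides actually took effect.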



Change Log

Date         Change Description
2021-08-25   Initial release.



Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the
U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
